In an effort to keep the ControlTrends Community in the loop during Cybersecurity Month, here is an interesting update on how IoT devices including microwaves, toys, thermostats, and security cameras are to be secured. Of particular interest was the My Friend Cayla Smart Doll — a prime target for cyber hackers, who can use the toy’s technology to spy on families and collect private information — because the doll is designed to collect and transmit everything it hears to a voice recognition company. Yikes!

In short, the bills basically direct IoT device manufacturers to equip their devices with reasonable security features, requiring companies to take responsibility for considering the security aspects of their devices as they’re developed and produced.

Gov. Jerry Brown has signed two bills that could make manufacturers of Internet-connected devices more responsible for ensuring the privacy and security of California residents.

The governor’s office announced on September 28 that Brown had signed the legislation, Assembly Bill 1906 and Senate Bill 327. He had until the end of the day on Sept. 30 to do so. Both bills will become law in about 15 months, on Jan. 1, 2020. That delayed effect, one of the lawmakers behind the legislation said, is designed to hold industry accountable but not stifle innovation or unduly burden it with regulation. Senate Bill 327 is the older of the two and was introduced in Feb. 2017 by state Sen. Hannah-Beth Jackson, D-Santa Barbara, but as currently amended, the senator told Government Technology, is “pretty much a mirror” of AB 1906, introduced in January by Assemblywoman Jacqui Irwin, D-Thousand Oaks.

Both require manufacturers of connected devices to equip them with a “reasonable security feature or features” that are appropriate to their nature and function, and the information they may collect, contain or transmit — and are designed to protect the device and its information from “unauthorized access, destruction, use, modification or disclosure.”

The bills also specify that if such a device has a “means for authentication outside a local area network,” that will be considered a reasonable security feature if either the preprogrammed password is unique to each device made, or the device requires a user to create a new “means of authentication” before initial access is granted.

They define “connected device” as a device with an Internet Protocol (IP) or Bluetooth address, and capable of connecting directly or indirectly to the Internet.
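As an added illustration (not part of the article or the bills), here is a small inventory audit in Python that applies the safe-harbor test just described to a constructed device list: a device with remote authentication passes if its preprogrammed credential is unique to that unit or it forces a new credential before first access. The inventory fields and sample devices are assumptions.

```python
# Added example: audit a constructed device inventory against the SB 327 /
# AB 1906 safe-harbor language quoted above. Field names are assumed.
from collections import Counter
from dataclasses import dataclass
from hashlib import sha256


@dataclass
class Device:
    device_id: str
    remote_auth: bool            # has a "means for authentication outside a LAN"
    default_credential: str      # preprogrammed password as shipped (constructed)
    forces_new_credential: bool  # user must set a new credential before first access


def credential_fingerprint(cred: str) -> str:
    # Compare hashes rather than raw defaults so audit output does not leak secrets.
    return sha256(cred.encode()).hexdigest()[:16]


def audit(devices):
    """Return {device_id: reason} for devices that fall outside the safe harbor."""
    # Count how many units share each preprogrammed credential; a credential that
    # appears on more than one unit is not "unique to each device."
    counts = Counter(credential_fingerprint(d.default_credential) for d in devices)
    findings = {}
    for d in devices:
        if not d.remote_auth:
            continue  # the clause only concerns authentication outside the LAN
        unique_default = counts[credential_fingerprint(d.default_credential)] == 1
        if unique_default or d.forces_new_credential:
            continue
        findings[d.device_id] = "shared default credential and no forced credential change"
    return findings


# Constructed sample fleet (not real products or credentials)
SAMPLE = [
    Device("cam-001", True, "admin", False),       # shared default: fails
    Device("cam-002", True, "admin", False),       # shared default: fails
    Device("cam-003", True, "x7Qp-91ka", False),   # unique per unit: passes
    Device("stat-010", True, "admin", True),       # forced setup on first use: passes
    Device("stat-011", False, "admin", False),     # LAN-only auth: out of scope
]

if __name__ == "__main__":
    for device_id, reason in audit(SAMPLE).items():
        print(f"{device_id}: {reason}")
```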

Jackson said she’s had “concerns about privacy issues for many, many years,” and was prompted to act last year after hearing from constituents and learning that the My Friend Cayla smart doll, which had been banned in Germany due to concerns about the safety of children, had not been banned in the U.S. She questioned how IoT devices including microwaves, thermostats and security cameras were secured and was shocked by the lack of security she found.

“This bill basically directs those manufacturers to equip their devices with reasonable security features,” Jackson said, adding she thinks the legislation is “the first of its kind” calling on companies to take responsibility for considering the security aspects of their devices as they’re developed and produced.

However, the question of what defines a “reasonable security feature or features” is one of several that industry groups — among them, the Security Industry Association, the National Electrical Manufacturers Association (NEMA) and the California Manufacturers and Technology Association (CMTA) — cited in their opposition to AB 1906.

In a statement provided to GT, the CMTA said the bills are an attempt to “create a cybersecurity framework by imposing undefined rules on California manufacturers,” but instead create a loophole allowing imported devices to “avoid implementing any security features.” This, it said, makes the state less attractive to manufacturers, less competitive and increases the risk of cyberattacks.

“We recommend an approach that would ensure that all connected devices are compliant and secure, no matter where they are produced. These two innovation-stifling measures not only fail to protect consumers, but will drive away California manufacturing investment,” the CMTA said.

The Entertainment Software Association, one of three industry groups including NEMA that are opposed to SB 327, said existing law already requires manufacturers to set up “reasonable privacy protections appropriate to the nature of the information they collect.”

Jackson said the bills still leave it to industry to use “their best judgment” to determine reasonable security and disagreed with the idea that the bills might create a loophole for imported devices.

“The concern, I think, is misplaced, because when the products are sold in this country, they will have to meet those standards even if they’re manufactured elsewhere,” she said.

State law would have allowed the bills to become law if they were neither signed by Brown nor vetoed — but both pieces of legislation specified they must be signed by the governor and can only become law if the other bill is also signed. A member of Jackson’s staff characterized this as a provision aimed at ensuring both houses remain on the same footing.

Editor’s Note: This story has been updated to indicate that the Governor signed both pieces of legislation. An earlier version was published before this was reported.

Theo Douglas is a staff writer for Government Technology. His reporting experience includes covering municipal, county and state governments, business and breaking news. He has a Bachelor’s degree in Newspaper Journalism and a Master’s in History, both from California State University, Long Beach.

Cyber Power Systems (USA), Inc., Shakopee, Minn. – Cyber Power Systems (USA), Inc., a leader in power protection and management products, today introduced an uninterruptible power supply (UPS) system designed to protect building and industrial controls and devices from power failure, interruptions, over-voltages and surges. The CyberPower BAS34U24V protects controller and server platforms, networking devices, data loggers, remote facility monitors, and other equipment from power disruptions to avoid loss of vital data and service failures. The UPS system is the first in a series of automation power-protection products to safeguard equipment within building automation systems (BAS), energy management systems (EMS) and other production-related systems which run smart buildings and factories.

CyberPower is launching the product at the 2018 ASHRAE Winter Conference and AHR Expo for the HVAC and controls industries, January 22-24, at McCormick Place in Chicago. During the AHR Expo, CyberPower will feature product briefings at booth #4058 in the Building Automation and Control Showcase at McCormick Place. The product is compliant with the Construction Specification Institute (CSI) Division 25 standard for integrated building automation regarding facility controller backup.

The CyberPower BAS34U24V serves the growing shift from siloed building systems to an interconnected system of Internet of Things (IoT) devices and sensors that collect and share data within and across portfolios. According to research by IHS Markit, there are more than 4.3 million IoT devices in use in the commercial and industrial electronics sector which includes smart buildings and factories, contributing to more than 27 billion connected IoT devices worldwide in 2017.

A UPS system engineered for control panels and edge networks

Designed for IoT technologies, the BAS34U24V is a UPS system featuring line-interactive topology to regulate voltage without having to switch to the battery.

“Today’s smart buildings and industrial systems rely on computing and analytics placed close to the network edge. The CyberPower BAS34U24V protects connected edge devices on the plant or building floor, such as controllers and sensors, from damaging power events like surges, spikes and black-outs. The unit provides a continuous flow of clean power to ensure efficient building and equipment operation that, in turn, will flow clean data and analytics to maintain accurate building management,” said Tim Derochie, director of product management at CyberPower.

The UPS system provides DC power supply, surge protection and an internal, space-saving backup battery for long-lasting protection. Features of the CyberPower BAS34U24V include:

• Compact form factor and DIN rail mount allow for secure installations inside controller cabinets.

• A high-density lithium-ion battery and an innovative electronic design with DC output yield an extended battery runtime of up to four hours at 80 percent rated capacity.

• SNMP internet-standard protocol provides critical information and alerts, such as remaining battery runtime and power conditions.

• Regulatory and safety certifications for the UPS system include UL 60950-1 and FCC Class B.

About Cyber Power Systems (USA), Inc.

CyberPower designs and manufactures uninterruptible power supply systems, power distribution units, surge protectors, remote management hardware, power management software, mobile chargers and connectivity products. The company serves customers in enterprise, corporate, industrial, government, education, healthcare and small office/home office environments. CyberPower products are available through authorized distributors and sold by value-added resellers, system integrators, managed service providers, select retailers and online resellers.

On August 1, 2017, the U.S. Government took a significant “lead by example” step forward in the battle for Internet of Things (IoT) security. Chief among the commitments that vendors must make to the U.S. Government: that their IoT devices are patchable, that the devices don’t contain known vulnerabilities, and that the devices don’t contain hard-coded passwords.

While ‘Internet of Things’ (IoT) devices and the data they transmit present enormous benefits to consumers, the relative insecurity of many devices presents enormous challenges.

Thus far, there has been a significant market failure in the security of these devices.

Sometimes shipped with factory-set, hard-coded passwords and often unable to be updated or patched, IoT devices can be a weak point in a network’s security, leaving the rest of the network vulnerable to attack. Additionally, the sheer number of IoT devices – expected to exceed 20 billion devices by 2020 – has enabled bad actors to launch devastating Distributed Denial of Service (DDoS) attacks. This legislation is aimed at addressing the market failure by establishing minimum security requirements for federal procurements of connected devices. The legislation requires vendor commitments:

§ That their IoT devices are patchable.

§ That the devices don’t contain known vulnerabilities.

• If a vendor identifies vulnerabilities, it must disclose them to an agency, with an explanation of why the device can be considered secure notwithstanding the vulnerability and a description of any compensating controls employed to limit the exploitability/impact of the vulnerability.

• Based on this information, an agency CIO could issue a waiver to purchase the device.

§ That the devices rely on standard protocols.

• Outside experts emphasize the importance of having the vendor disclose what network protocols are in use, for instance to assist the Department of Homeland Security’s (DHS) Einstein program.

§ That the devices don’t contain hard-coded passwords.

Recognizing that it may be infeasible for certain devices to meet those requirements, and in consideration of network-based technologies that can help manage risks from insecure devices:

§ Agencies may ask the Office of Management and Budget (OMB) for permission to purchase non-compliant devices if they can demonstrate that certain compensating controls have been employed.

§ The legislation empowers OMB, working with the National Institute of Standards and Technology (NIST) and industry, to specify particular measures (such as network segmentation, use of gateways, utilization of operating system containers and microservices) for agencies to employ.

While the legislation establishes modest new device security requirements, it offers flexibility to agencies to waive these requirements in the event that:

§ Agencies employ their own equivalent, or more rigorous, device security requirements; or

The legislation directs the DHS National Protection and Programs Directorate (NPPD) to:

§ Work with industry to develop coordinated disclosure guidelines for vendors selling IoT to the US government, which vendors would then adopt, allowing researchers to uncover vulnerabilities in those products and responsibly share them with the vendor, without fear of liability under the Digital Millennium Copyright Act (DMCA) or Computer Fraud and Abuse Act (CFAA).

• Vulnerabilities found and reported to vendors must be patched (or devices must be replaced) in a timely manner.

The legislation requires that agencies maintain an inventory of IoT devices in use.

§ It requires OMB to submit a report to Congress after 5 years on the effectiveness of the guidelines and any recommendations for updates.

The legislation allows OMB to waive, in whole or in part, any of the requirements after 5 years.

Marc Petock, a leading expert on Cyber Security, takes a close look at the ramifications and financial consequences of not taking aggressive measures to protect your business against cyber attacks.

As I have said, cyber security has a technology side and a business side. From a business perspective, the negative consequences that cyber incidents can cause are disruptive and potentially catastrophic. The value of taking additional measures to increase the cyber security posture of your control systems far outweighs the risk of not making them secure.

Here are a few interesting items in the news of late related to the business side of cyber security.

Third-party vendor risk: The New York State Department of Financial Services (DFS) announced it will propose new cybersecurity regulations for financial institutions. The exact details of the regulations are still being hashed out, but they cover a number of areas in which the DFS intends to act: Cyber Security Policies and Procedures, Third-Party Service Provider Management, Multi-Factor Authentication, Appointment of Chief Information Security Officers, Application Security, Cyber Security Personnel and Intelligence, Annual Auditing, and Procedures for Noticing Cyber Security Incidents.

As noted, one of the new regulations focuses on third-party providers and suppliers, and on the requirement to implement policies and procedures that ensure the security of sensitive data or systems that are accessible to, or held by, third-party providers. New regulations could mandate that firms “perform cyber security audits” of their third-party vendors, or require third-party vendors to make “representations and warranties” about the state of their information security.

Cyber Attacks Could Now Affect Credit Ratings: Moody’s Investors Service announced that as cyber risks become more pervasive, the credit implications associated with cyber defense, detection, prevention and response will take a higher priority within its credit assessments and analysis.

Target: Yes, two years after the Target cyber incident, the company remains in the news. Target has to pay nearly $40 million to settle with banks and credit unions that brought class-action claims against the retailer for alleged losses the financial institutions suffered as a result of Target’s 2013 data breach. This most recent settlement comes on the heels of a $67 million settlement with Visa and a $10 million settlement with consumers, both earlier this year. The most recent settlement brings Target’s total costs to a staggering $290 million (and it is far from over), on top of lawsuits that are still pending, as well as regulatory enforcement and investigation actions by the FTC and various state attorneys general.

Insurance: Insurers are tightening cyber coverage. They are beginning to evaluate and rate companies’ cyber health, and to insure (or not) and charge accordingly. Coverage is becoming more sophisticated as insurers demand that the companies they cover meet specific cyber security requirements to be eligible, set premiums and policy coverage based on whether those requirements are implemented, or decline coverage outright because ineffective cyber security practices and postures make the risk too great.

When it comes to cyber security, the business case is equally as important as the technology case. The operational, financial and reputational impacts to a business are tremendous.

ControlTrends Community, here it is. Participation is requested (and important)! DOE information release, November 17, 2014: On Wednesday, December 11, 2014 the Energy Department’s Office of Electricity Delivery and Energy Reliability in coordination with the Federal Smart Grid Task Force will conduct a webinar to conclude the development phase of a Voluntary Code of Conduct (VCC) related to privacy of customer energy usage data for utilities and third parties.

Background: Throughout the U.S., intelligence is being added to the grid through the deployment of advanced technologies and grid modernization efforts. This increased intelligence has led to concerns regarding consumer data access and the privacy of consumer energy consumption data. Historically, utilities have taken very seriously the job of protecting customers’ privacy, and privacy and security protections will remain fundamental objectives. However, with the new technologies being deployed today, these fundamental protections warrant new attention. Consumers must feel secure that their data will be protected and treated responsibly. Therefore, it is important that stakeholders on all sides of the privacy debate work together to address concerns and coordinate activities.

The webinar will summarize changes made to the VCC concepts and principles as a result of comments received through the public comment period. In addition, a proposed implementation plan and adoption process will be presented as well as preliminary results from focus groups conducted to gauge consumer sentiment.

Your participation is important! Please forward this email to your colleagues who may be interested in this initiative or in future email alerts from SmartGrid.gov.

More information on the Voluntary Code of Conduct can be found on SmartGrid.gov.